In 2011, a company called Inteligistics announced that it would be building a wireless asset tracking system for the U.S. Navy, according to a report by IoT.now. This technology would enable the Navy to monitor the location, inventory and environmental data for thousands of shipping containers throughout the world. This supply chain management system for naval logistics utilizes a combination of radio frequency identification (RFID), ZigBee-compliant wireless transmitters, and cellular phone connections to collect data from each shipping container that utilizes the system. This would be one of the Navy’s first plunges into the so-called Internet of Things (IoT).
ZigBee is a relatively young wireless mesh technology which allows properly fitted devices, such as sensors, thermostats, door locks and light bulbs, to communicate with a central coordinator on the same wireless network. Thanks to the mesh technology, devices that are designated as routers can relay information sent from some of the more distant endpoint devices. ZigBee (named after the waggle dance of honey bees) is the technical specification of a set of high-level protocols that follow the IEEE 802.15.4 wireless standard.
Unlike Wi-Fi (802.11 Wireless Ethernet), ZigBee transceivers use very little power and have intentionally short transmission ranges. Most endpoint ZigBee devices sleep nearly all the time until an event occurs which triggers a short-burst transmission of data. While the IEEE set a standard for low-power, short-range radios at the physical (PHY) and media access control (MAC) layers, the ZigBee Alliance set the specifications (Table 1) for how these devices communicate with one another at the network (NWK) and application layers (APS/APL).
The Internet of Things is now a reality, in that these small, low-powered wireless devices are becoming more and more connected to the Internet. With ZigBee devices, this requires jumping through some technical hoops, in that this technology is not initially compatible with Wi-Fi. The aforementioned central coordinator, which is a crucial part of every ZigBee network, must be modified so that it can communicate with an Ethernet network and, from there, send its data to a cloud service which can then interact with a user’s phone app or laptop.
Some of the newer IoT products, such as Samsung SmartThings and Philips Hue, already provide a bridge which is built into their coordinator hubs. A network cable is provided for connecting the hubs directly to the wireless router. These companies even provide cloud services and phone apps for their customers.
Space and Naval Warfare Systems Center Pacific helped the U.S. Navy overcome this technology barrier with respect to the aforementioned ZigBee cargo container monitoring system. An externally mounted phone adapter, called the Handheld Network Access Device (HNAD), allows a user to walk into a shipping container and use an Android-based smartphone to communicate with the ZigBee network. The system implements a Bluetooth-to-ZigBee bridge which allows the endpoint devices to communicate directly with the phone which, in turn, displays inventory data on the screen.
There are competitors to ZigBee that do not necessarily follow the IEEE 802.15.4 standard.
Technologies such as Z-Wave, Thread, Bluetooth Low Energy (not regular Bluetooth) and ANT are paving their own way into the IoT marketplace. While they do tend to track closely with the ZigBee power and frequency specifications (Table 2), they have their own protocols and network topologies. To the customer who uses them, they seem to be the same type of products. They all utilize endpoint devices and a main control hub, as well as cloud services and phone apps. All have data rates that are less than 1 Mbps and a low transmission power of well under 100 mW. All use AES 128-bit symmetric encryption.
ZigBee is not bullet-proof when it comes to hacking. Even though the data have encryption, the way the system is implemented by the manufacturer can introduce vulnerabilities. When an endpoint device, such as a light bulb or thermostat, is added to a ZigBee network, it must first share its key with the coordinator device. This is done wirelessly and in plaintext. This very short time period can be exploited by a vigilant hacker with the appropriate wireless sniffing tools. Once the key is compromised, a hacker can introduce his own devices, thereby exploiting the network. This means a real-world kinetic change could be triggered, such as the lights going out, the heat turning on or the door locks disengaging. Each manufacturer has its own way of implementing security, so the risk may vary depending on which system you are using.
Any wireless mesh network that is connected to a cloud service and controlled remotely can be open to attacks from the Internet, without any need for the hacker to be within radio reception range of the devices.
Take, for instance, the shipping containers that were previously mentioned. There have already been instances of complex hacking schemes that involved purpose-built hardware and software designed to infiltrate and exploit shipping container tracking systems.
In 2013, European officials became suspicious when shipping containers containing basic items, such as bananas, were being specifically sought out and stolen, according to a report by
Motherboard. It turned out that these containers were actually carrying illegal drugs and weapons that were, of course, not shown on the manifests. Company databases had been modified, allowing traffickers to send large shipments of contraband around the world under the guise of fruit and other benign cargo. The cyber-hack began with simple social engineering: a spear phishing attack through emails that tricked employees into installing malware, according to Motherboard.
ZigBee and other mesh-networking technologies have shown promise in residential smart homes, as well as in military and commercial applications. Just like everything else that moves data, devices will need to maintain security beyond standard encryption.
From the manufacturer that implements it, to the installer that configures it, and to the user who operates it, ZigBee networks will require proper planning, maintenance and patching to keep a high level of availability and risk mitigation.
Lt. Donald Collins is an Information Professional officer and the Information Assurance Manager for Detachment 802, Commander, Naval Forces Europe - Commander, Naval Forces Africa - Commander, 6th Fleet.
The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.